from the meddling-and-fiddling dept

Since around 2013 or so, Comcast has been injecting warning messages into user traffic streams. Sometimes these warnings are used to notify a customer that their computer may have been hacked and is part of a botnet. Other times, the warning messages inform users that they've (purportedly) downloaded copyrighted material, as part of Comcast's cooperation with the entertainment industry's "six strikes" Copyright Alert System (CAS), a program that pesters accused pirates until they acknowledge their villainy and receipt of "educational" materials on copyright.

More recently, Comcast has used the system to urge customers to upgrade to a newer modem, or to warn users in capped markets that they're about to reach their monthly usage allotment and will soon be paying overage fees.

While Comcast's efforts here may be well-intentioned, the act of fiddling with user traffic and injecting any content into the user data stream has long been controversial. Pretty much like clockwork over the last three years, you see stories popping up every few months or so explaining how letting such a fierce opponent of concepts like net neutrality fiddle with user traffic just isn't a particularly smart idea. Users have also consistently complained that there's no way to opt out of the warning messages.

But in addition to being annoying and a bad precedent, many think Comcast's efforts on this front open the door to privacy and security risks. iOS developer Chris Dzombak, for example, penned a blog post last week explaining how getting broadband users used to this level of popup pestering by their ISP opens the door to hackers to abuse that expectation and trust via man-in-the-middle attacks:

"This might seem like a customer-friendly feature, but it’s extremely dangerous for Comcast’s users. This practice will train customers to expect that their ISP sends them critical messages by injecting them into random webpages as they browse. Moreover, these notifications can plausibly contain important calls to action which involve logging into the customer’s Comcast account and which might ask for financial information.

Any website could present its users an in-page dialog which looks similar to these Comcast alerts. The notification’s content could be entirely controlled by criminals hoping to harvest users’ Comcast account login information. This would give an attacker access to users’ email, which is a gateway to reset the user’s passwords on most other sites — remember, most password recovery mechanisms revolve around access to an email account."

Each time this subject pops up, Comcast's engineering folks are quick to point out that this is all perfectly OK because the company filed an informational RFC (6108) back in 2011 explaining what the company was up to. Usually this results in media outlets quieting down for a while until somebody new discovers the popups. But Dzombak is quick to correctly note that filing an RFC isn't some kind of get-out-of-jail-free card for dumb ideas:

"Comcast has submitted an informational RFC (6108) to the IETF documenting how this content injection system works. This appears to be a shady effort to capitalize on the perceived legitimacy that pointing to an RFC gives you.

First, let me point out that just publishing a memo that says you plan to do something, doesn’t mean that the thing you’re doing is acceptable.

Second, RFC6108 does not address this concern whatsoever. There’s a short section about security considerations, which largely boils down to this guidance: “…the notification must not ask for login credentials, and must not ask a user to follow a link in order to change their password, since these are common phishing techniques. Finally, care should be taken to provide confidence that the web notification is valid and from a trusted party, and/or that the user has an alternate method of checking the validity of the web notification. …"

In short, that puts the onus on customers to know that these popup notifications should not ask for login information. But most users simply aren't going to know that, and would be easily fooled by a phony popup that mirrors this dialog but redirects users to a malicious third-party website asking for their credentials. The notification is just a snippet of HTML injected into an unencrypted website; there's no magic-bullet way of being sure the web notification you're viewing "is from a valid and trusted party." On Twitter last month, Comcast told Dzombak his points were fair, but it still hasn't seriously addressed the problem.

Comcast has your e-mail address for notifications. There's really no reason to fiddle with user traffic. It's a horrible precedent that's not only annoying, but a potential privacy risk. Fortunately the problem may self-resolve, as Comcast can't inject the messages into encrypted streams -- and encryption use overall is on the rise. Still, it's not a particularly great precedent to let a company with a long, proud history of fighting net neutrality fiddle with data streams, however purportedly noble the intention.

from the great-schism? dept

Techdirt covered the WCIT circus in Dubai in some depth last year, since important issues were at stake. As many feared, after a moment of farce, it became clear that a serious schism in the ITU was opening up -- between those who wanted the Internet largely left alone to carry on much as before, with the possibly naïve hope that it might act as a vehicle of freedom, and those who wanted it regulated more closely, certain it could become an even better instrument of control.

Almost everyone has fled the organization except for a few established participants from China and Korea and their partners. Pretty much all of industry together with the G55 nations [who refused to sign the WCIT treaty] have left.

Just as telling is the subject-matter:

The contributions predominantly deal with the mechanics of pervasive surveillance and content control. This includes DPI mechanisms and use cases, filtering of content to local networks, control of individual user mobile phones, controls on peer-to-peer services, extensive regulatory controls on cloud computing facilities, and Big Data Analytics for extracting every nuance about individual users from real-time communications and stored data.

As Rutkowski rightly notes, given this continuing descent into police-state territory, there are now two paths for the ITU. The first is to pull back from the brink, and to return to a consensus-based approach that allows the G55 nations to participate in the development of basic Internet standards -- not those predominantly designed for surveillance.

Alternatively, the G89 nations who did sign the WCIT treaty may decide it is more important for their sections of the Internet to be firmly under their control than for there to be a single, unified set of Internet standards for the world. The schism would be formalized, with a more open G55 Internet linking up as best it could with the more closed G89 network. That would be a tragedy for humanity, but on the basis of the WCIT conference and the developments since then, it's certainly not something that can be ruled out.

from the look-at-that dept

Earlier this week, we wrote about how the ITU had secretly approved a standard for deep packet inspection behind closed doors. This was troubling on a number of different levels, including the idea that they're even trying to standardize such a thing, and that they're doing so in secret. However, after the news came out, Asher Wolf decided to tweet a simple question, asking if anyone had access to documents about the DPI standard. And a funny thing happened:

Toby Johnson, a PR/communications guy for the ITU, responded and offered to send the documents. Which he did. And then, five hours later, after Asher had spoken about them publicly and sent them around to a bunch of journalists, she got an email saying that the documents were for her eyes only, and not to publish or share them "in part or in whole."

Yes, the ITU is so incompetent that they can't even do secrecy right.

Richard Chirgwin has a pretty good rundown on how ridiculous the DPI standard is, but perhaps more bizarre, as Wolf points out, the documents show that the ITU didn't think it was worth studying the impact of such a standard before implementing one -- which would suggest (yet again) that the ITU appears to go about things backwards.

from the thought-police dept

Wizz points us to a speech that French President Nicolas Sarkozy recently gave in response to the death of the suspect in the Toulouse murders, whom police shot as he tried to escape when they raided his apartment after a 32-hour standoff. Sarkozy used the speech as an opportunity to push for more anti-internet legislation, including a plan to criminalize visiting certain websites too often. Here's the video in French, with his comments coming around 2:20.

Translating the key line, he says:

Anyone who habitually visits Internet sites that advocate terrorism or carry calls for hate or violence will be punished under criminal law.

It appears that there is already a law in France that similarly makes it a criminal offense to "habitually" visit child porn sites, and this is a push to expand that same law to terrorism, hate and violence sites (original French). Of course, there are all sorts of problems with this. Accessing child porn is a strict-liability matter: the act itself is clearly illegal. Merely reading about terrorism, hate or violence is not.

Also, there's the question of how you know whether someone "habitually" visits such sites, raising fears that Sarkozy wants to implement a pretty broad deep packet inspection spying system to make this work. This has, quite reasonably, raised significant concerns among human rights/free speech activists (original French) about just what Sarkozy is actually planning. Others point out that such a law almost certainly wouldn't pass French constitutional scrutiny.

Either way, just the idea is quite a dangerous leap. Criminalizing the visiting of websites because they contain information? If the content itself is illegal, go after those who create the website. Going after people for reading it reaches towards the level of establishing thought police. It also seems to greatly overestimate (as many politicians do) the power of a simple website to convince people of certain things. We see the same thing in the US with Senator Lieberman's grandstanding against terrorist content, which he wants banned and blocked in the US as well. It seems to assume that people are all complete suckers who, as soon as they read a terrorist pitch, automatically become terrorists. In reality, all they're doing is legitimizing much of this ridiculous content, by suggesting that it really is "dangerous" and somehow must be criminalized.